Abstract - In this paper we discuss the processes in the Shannon cipher system with a discrete
memoryless source and a guessing wiretapper. The wiretapper observes a cryptogram of an
$N$-vector of ciphered messages in the public channel and tries to guess successively the vector of
messages within a given distortion level $\Delta$ and with a small probability of error less than
$\exp\{-NE\}$, with positive reliability index $E$. The security of the system is measured by the
expected number of guesses which the wiretapper needs for the approximate reconstruction of the
vector of source messages. The distortion, the reliability criteria and the possibility of upper
limiting the number of guesses extend the approach studied by Merhav and Arikan. A single-letter
characterization is given for the region of pairs $(R_L, R)$ (of the rate $R_L$ of the maximum
number of guesses $L(N)$ and the rate $R$ of the average number of guesses) in dependence on key
rate $R_K$, distortion level $\Delta$ and reliability $E$.

Index Terms — Cryptanalysis, guessing, wiretapper, source coding with fidelity criterion, 
rate-distortion theory, rate-reliability-distortion dependence, Shannon cipher system. 



I. Introduction 

We investigate the procedure of wiretapper's guessing with respect to fidelity and reliability
criteria in the Shannon cipher system (see Fig. 1) [29].

Fig. 1. The Shannon cipher system with a guessing wiretapper.

An encrypted vector of messages of a discrete memoryless stationary source must be transmitted
via a public channel to a legitimate receiver. The key-vector is communicated to the encrypter
and to the decrypter by a special secure channel protected against wiretappers. After ciphering
the vector of source messages by a key-vector, the cryptogram is sent over a public channel to a
legitimate receiver, which can recover the original message on the basis of the cryptogram and
the same key-vector. A wiretapper that eavesdrops on a public channel aims to decrypt the source
messages on the basis of the cryptogram, within the framework of given distortion and reliability,
knowing the source statistics and the encryption function but not the key. The wiretapper
makes sequential guesses (suppositions), each time applying a testing mechanism by which he
can learn whether the estimate is successful (is within a given distortion level). He stops if the
answer is affirmative, or the number of guesses attains the prescribed limit. The restriction
of the number of guesses is justified because it often happens that after some time passes the
task of guessing loses its relevance or even its meaning.

The guessing problem was first considered by Massey [25], then by Arikan [3] and recently
by Malone and Sullivan [22]. The guessing subject to fidelity criterion was studied by Arikan
and Merhav in [I], [5], for reliability criterion by Haroutunian and Ghazaryan in [10], for the
Shannon cipher system with exact reconstruction of messages by wiretapper by Merhav and
Arikan in [26] and by Hayashi and Yamamoto in [20]. The Shannon cipher system with wiretapper
reconstructing source messages subject to fidelity criterion was examined by Yamamoto
in [21]. We study a combination of these problems with additional reliability criterion and
restriction of the number of guesses by a limit $L(N)$ (less or equal to the number of all messages
in $\mathcal{X}^N$). The Shannon's rate-distortion concept generalization, introduced by Haroutunian and
Mekoush [15], consists in studying the rate-reliability-distortion dependence. We use the term
reliability instead of the longer term error probability exponent. Applications of the reliability
criterion were investigated for various multiterminal systems (see [10], [13] - [IE], [23], [30]).

We measure the security of the cipher system by the expected number of guesses needed for
reconstruction of the source messages. That approach was used also by Merhav and Arikan in
[26] and earlier by Hellman in pTJ and by Sgarro in [27], [2H]. But we characterize the activity
of the system also by the rate of the maximum number of wiretapper guesses, the distortion
level of the approximate reconstruction of messages and the value of the reliability (exponent)
$E$ in the upper estimate $\exp\{-NE\}$ of the probability of error of the wiretapper.

The objective of this paper is investigation of the optimal correlations of noted characteristics
of the described model. Abstracts of results of the paper were published in [IT], [12].

II. Definitions 

We pass to detailed definitions. The discrete memoryless source is defined as a sequence
$\{X_i\}_{i=1}^{\infty}$ of discrete, independent, identically distributed (i.i.d.) random variables (RVs) $X$
taking values in the finite set $\mathcal{X}$ of messages $x$ of the source. Let

$$P^* = \{P^*(x),\ x \in \mathcal{X}\}$$

be the source messages generating probability distribution (PD) which is supposed to be known
also to the wiretapper. Let $\mathbf{X} = (X_1, X_2, \ldots, X_N)$ be a random $N$-vector. Since we study the
memoryless source the probability of the vector $\mathbf{x} = (x_1, \ldots, x_N)$, a realization of the random
$N$-vector $\mathbf{X}$, is

$$P^{*N}(\mathbf{x}) = \prod_{n=1}^{N} P^*(x_n).$$

The key-source $\{U\}$ is given by a sequence $\{U_i\}_{i=1}^{\infty}$ of binary i.i.d. RVs, which take values from
the set $\mathcal{U} = \{0, 1\}$. The distribution $P_1^* = \{1/2, 1/2\}$ is the PD of the key bits. The key-vector
$\mathbf{u} = (u_1, u_2, \ldots, u_K)$ is a vector of $K$ bits and $P_1^{*K}(\mathbf{u}) = 2^{-K}$. Let $\mathbf{U} = (U_1, U_2, \ldots, U_K)$ be a
key-vector of $K$ binary RVs independent of the vector $\mathbf{X}$.

Denote by $\hat{x}$ values of RV $\hat{X}$ representing the wiretapper reconstruction of the source message
with values in the finite wiretapper's reproduction alphabet $\hat{\mathcal{X}}$, in general different from $\mathcal{X}$.

Correspondingly, by $\mathcal{X}^N$ and $\hat{\mathcal{X}}^N$ we denote the $N$-th order Cartesian powers of the sets $\mathcal{X}$
and $\hat{\mathcal{X}}$, by $\mathcal{U}^K$ the $K$-th order Cartesian power of the set $\mathcal{U}$.

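We consider a single-letter distortion measure between source and wiretapper reproduction
messages:

$$d : \mathcal{X} \times \hat{\mathcal{X}} \to [0; \infty).$$

It is supposed that for every $x \in \mathcal{X}$ there exists at least one $\hat{x} \in \hat{\mathcal{X}}$ such that $d(x, \hat{x}) = 0$. The
distortion measure between a source vector $\mathbf{x} \in \mathcal{X}^N$ and a wiretapper reproduction vector
$\hat{\mathbf{x}} = (\hat{x}_1, \hat{x}_2, \ldots, \hat{x}_N) \in \hat{\mathcal{X}}^N$ is defined as an average of the corresponding component distortions:

$$d(\mathbf{x}, \hat{\mathbf{x}}) = N^{-1} \sum_{n=1}^{N} d(x_n, \hat{x}_n). \tag{1}$$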

Let

$$f_N : \mathcal{X}^N \times \mathcal{U}^K \to \mathcal{W}(N, K)$$

be an encryption function with the set $\mathcal{W}(N, K)$ of all possible for this $N$ and $K$ cryptograms
$w$. This function is assumed to be invertible providing the key is given, i.e. there exists the
decryption function

$$f_N^{-1} : \mathcal{W}(N, K) \times \mathcal{U}^K \to \mathcal{X}^N.$$

We denote by $W(N, K)$ the RV with values $w$. For each cryptogram $w = f_N(\mathbf{x}, \mathbf{u})$ the ordered
list of sequential guesses of the wiretapper

$$\mathcal{G}_N(w) = \{\hat{\mathbf{x}}_1(w), \hat{\mathbf{x}}_2(w), \ldots, \hat{\mathbf{x}}_{L(N)}(w)\}, \quad \hat{\mathbf{x}}_l(w) \in \hat{\mathcal{X}}^N, \quad l = 1, 2, \ldots, L(N),$$

with the limit of the number of guesses $L(N) \le |\hat{\mathcal{X}}|^N$, is called the guessing strategy of the
wiretapper. For a given guessing strategy $\mathcal{G}_N(w)$, $w \in \mathcal{W}(N, K)$, we name guessing function
and denote by $G_N(\mathbf{x}, w)$ the function

$$G_N : \mathcal{X}^N \times \mathcal{W}(N, K) \to \{1, 2, 3, \ldots, L(N), L(N) + 1\},$$

which shows index $l$ of the first successful guessing vector $\hat{\mathbf{x}}_l(w) \in \mathcal{G}_N(w)$, i.e. such minimal $l$
that $d(\mathbf{x}, \hat{\mathbf{x}}_l(w)) \le \Delta$. In other words $l$ is the quantity of sequential guesses of the wiretapper
until the successful estimate $\hat{\mathbf{x}}_l(w)$ of the source vector $\mathbf{x} \in \mathcal{X}^N$ is found. $G_N(\mathbf{x}, w)$ equals
$L(N) + 1$ if the guessing is stopped after $L(N)$ unsuccessful attempts.

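For each distortion level $\Delta \ge 0$, a positive number $L(N)$ and a guessing strategy $\mathcal{G}_N(w)$ let
us consider two sets of vectors $\mathbf{x}$ of messages:

the first is the set of those $\mathbf{x}$ which can be successfully deciphered by the wiretapper within
$L(N)$ guessing attempts for every key $\mathbf{u}$

$$\mathcal{A}(w) = \mathcal{A}(L(N), \mathcal{G}_N(w), \Delta) = \{\mathbf{x} : \forall \mathbf{u},\ \exists l \le L(N),\ f_N(\mathbf{x}, \mathbf{u}) = w,\ d(\mathbf{x}, \hat{\mathbf{x}}_l(w)) \le \Delta\}$$

$$= \{\mathbf{x} : G_N(\mathbf{x}, w) \le L(N)\},$$

and the other with those $\mathbf{x}$, which can not be deciphered by the wiretapper with necessary
precision after $L(N)$ guesses

$$\overline{\mathcal{A}(w)} = \{\mathbf{x} : \exists \mathbf{u},\ \forall l \le L(N),\ f_N(\mathbf{x}, \mathbf{u}) = w,\ d(\mathbf{x}, \hat{\mathbf{x}}_l(w)) > \Delta\}$$

$$= \mathcal{X}^N - \mathcal{A}(w) = \{\mathbf{x} : \exists \mathbf{u},\ f_N(\mathbf{x}, \mathbf{u}) = w,\ G_N(\mathbf{x}, w) = L(N) + 1\}.$$

Respectively, the probability of the wiretapper error (probability of unsuccessful guessing) will
be defined for each $w$ and $\Delta$ as

$$e(L(N), \mathcal{G}_N(w), \Delta) = 1 - P^{*N}(\mathcal{A}(w)) = P^{*N}(\overline{\mathcal{A}(w)}).$$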

Just as in other problems of information theory [18] we study the exponential decrease by $N$
of the error probability with given reliability (exponent) $E$. With $E \to 0$ we can obtain also
results corresponding to the case of error probability upper limited by given small $\varepsilon > 0$ not
decreasing exponentially by $N$.

In this paper log-s and exp-s are taken to the base 2. 

Let $R_K$ be the key rate:

$$R_K = N^{-1} \log 2^K = K/N.$$

It is supposed that $L(N)$ also increases exponentially by $N$. The guessing rates pair $R_L, R$
will be called (from the point of view of cryptanalysis, i.e. the wiretapper) $(R_K, E, \Delta)$-achievable
for given $E > 0$, $\Delta \ge 0$ and $R_K$, if for every encryption function $f_N$ there exists a sequence of
guessing strategies $\mathcal{G}_N(w)$ such that

$$\liminf_{N \to \infty} N^{-1} \log L(N) = R_L, \tag{2}$$

$$\liminf_{N \to \infty} N^{-1} \log \mathbf{E}_{P^*, P_1^*}\{G_N(\mathbf{X}, W)\} = R, \tag{3}$$

and for all $w \in \mathcal{W}(N, K)$

$$e(L(N), \mathcal{G}_N(w), \Delta) < \exp\{-NE\}. \tag{4}$$

Let us denote by $\mathcal{R}_G(P^*, R_K, E, \Delta)$ the set of all $(R_K, E, \Delta)$-achievable (for wiretapper) pairs
of guessing rates $R_L, R$ and call it the guessingrates-keyrate-reliability-distortion region. The
boundary of the region $\mathcal{R}_G(P^*, R_K, E, \Delta)$ we will designate by $R_G(P^*, R_K, E, \Delta)$. It contains
information on interdependence of extremal values of rates $R$ and $R_L$, so it will be convenient
to conditionally name it guessingrate-keyrate-reliability-distortion function.

The knowledge of such functional dependence is practically useful because it makes it possible
to improve the security of the cipher system by increasing the key rate $R_K$, or by decreasing
the number of allowed guesses $L(N)$.

In case $E \to \infty$, $\hat{\mathcal{X}} = \mathcal{X}$, $\Delta = 0$, and $R_L = \log |\mathcal{X}|$ the guessingrate-keyrate-reliability-distortion
function becomes the guessingrate-keyrate function $R_G(P^*, R_K)$ studied by Merhav and Arikan
in [26]. A problem studied by Yamamoto in the framework of the rate-distortion theory for
Shannon cipher system [21] corresponds to the case $L(N) = 1$ with measuring of the security
of the system by the attainable minimum distortion.

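Let $P = \{P(x),\ x \in \mathcal{X}\}$ be a PD on $\mathcal{X}$ and $Q = \{Q(\hat{x} \mid x),\ x \in \mathcal{X},\ \hat{x} \in \hat{\mathcal{X}}\}$ be a conditional
PD on $\hat{\mathcal{X}}$ for given $x$, also we denote by $PQ$ the marginal PD on $\hat{\mathcal{X}}$:

$$PQ = \Big\{PQ(\hat{x}) = \sum_{x} P(x) Q(\hat{x} \mid x),\ \hat{x} \in \hat{\mathcal{X}}\Big\}.$$

For given $x \in \mathcal{X}$ denote by $Q_P(\hat{x} \mid x)$ the conditional PD on $\hat{\mathcal{X}}$ such that for each $\Delta$ the
following condition is fulfilled:

$$\mathbf{E}_{P, Q_P} d(X, \hat{X}) = \sum_{x, \hat{x}} P(x) Q_P(\hat{x} \mid x) d(x, \hat{x}) \le \Delta.$$

Let $\mathcal{M}(P, \Delta)$ be the set of all PDs $Q_P$ for given $\Delta$ and $P$.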

We use the following notations for entropy, information and divergence:

$$H_P(X) = -\sum_{x} P(x) \log P(x),$$

$$I_{P,Q}(X \wedge \hat{X}) = \sum_{x, \hat{x}} P(x) Q(\hat{x} \mid x) \log \frac{Q(\hat{x} \mid x)}{\sum_{x} P(x) Q(\hat{x} \mid x)},$$

$$D(P \| P^*) = \sum_{x} P(x) \log \frac{P(x)}{P^*(x)}.$$

For given $E > 0$ consider the following set of PDs $P$ "surrounding" the generating PD $P^*$

$$\alpha(P^*, E) \triangleq \{P : D(P \| P^*) \le E\}. \tag{5}$$

We denote by $R(P, \Delta)$ the rate-distortion function for PD $P$ (see [6], [8]):

$$R(P, \Delta) \triangleq \min_{Q_P \in \mathcal{M}(P, \Delta)} I_{P, Q_P}(X \wedge \hat{X}), \tag{6}$$

and by $R(P^*, E, \Delta)$ the rate-reliability-distortion function (introduced in [15]) for source with
generating PD of messages $P^*$:

$$R(P^*, E, \Delta) \triangleq \max_{P \in \alpha(P^*, E)} R(P, \Delta). \tag{7}$$



The first emergence of $R(P^*, E, \Delta)$ may be explained by Theorem 2 below. But we apply it to
solving of the problem under consideration.

In the next Section we formulate a theorem specifying the guessingrates-keyrate-reliability-distortion
region $\mathcal{R}_G(P^*, R_K, E, \Delta)$. The proofs are exposed in Section IV.

III. Formulation of the Result 

The main result of the paper is the complete characterization of the guessingrates-keyrate-reliability-distortion
region $\mathcal{R}_G(P^*, R_K, E, \Delta)$. We introduce the following region:

$$\mathbf{R}_G(P^*, R_K, E, \Delta) = \{(R_L, R) :$$

$$\log |\hat{\mathcal{X}}| \ge R_L \ge \min(R_K, R(P^*, E, \Delta)), \tag{8}$$

$$R_L \ge R \ge \max_{P \in \alpha(P^*, E)} [\min(R_K, R(P, \Delta)) - D(P \| P^*)]\}. \tag{9}$$

Fig. 2. Schematic diagram of region $\mathcal{R}_G(P^*, R_K, E, \Delta)$.

Theorem 1: For given PD $P^*$ on $\mathcal{X}$, every key rate $R_K > 0$, reliability $E > 0$, and permissible
distortion level $\Delta \ge 0$,

$$\mathcal{R}_G(P^*, R_K, E, \Delta) = \mathbf{R}_G(P^*, R_K, E, \Delta). \tag{10}$$



Theorem 1 comprises the following important particular cases. Denote by $R_G(P^*, R_K, E, \Delta)$
the boundary of the region $\mathcal{R}_G(P^*, R_K, E, \Delta)$.

Corollary 1: When $E \to \infty$, and the strategy permits the total exhaustion of the wiretapper
reproduction vectors set ($R_L = \log |\hat{\mathcal{X}}|$) we get a solution of the problem suggested by Merhav
and Arikan [26], concerning the reconstruction of the $N$-vector of messages by wiretapper within
an allowed level $\Delta$ of distortion from the true vector

$$\lim_{E \to \infty,\ R_L = \log |\hat{\mathcal{X}}|} R_G(P^*, R_K, E, \Delta) = \max_{P} [\min(R_K, R(P, \Delta)) - D(P \| P^*)].$$

Corollary 2: When $E \to \infty$, $\hat{\mathcal{X}} = \mathcal{X}$, $\Delta = 0$, i.e. the wiretapper requires only the exact
reconstruction of sequences of source messages, and $R_L = \log |\mathcal{X}|$, we arrive at the result of
Merhav and Arikan from [26]:

$$\lim_{E \to \infty,\ \Delta = 0,\ R_L = \log |\mathcal{X}|} R_G(P^*, R_K, E, \Delta) = \max_{P} [\min(R_K, H_P(X)) - D(P \| P^*)].$$

Corollary 3: When $E \to 0$ we find that

$$\lim_{E \to 0} \mathbf{R}_G(P^*, R_K, E, \Delta) = \{(R_L, R) :\ R_L \ge \min(R_K, R(P^*, \Delta)),\ R \ge \min(R_K, R(P^*, \Delta))\}.$$

This means that when the error probability does not decay exponentially in $N$, the maximal number
of guesses may be greater than the average number of guesses only by a factor which does not
grow exponentially in $N$.

Explicit expressions of the guessingrate-keyrate-reliability-distortion function for the particular
case of binary source and Hamming distortion measure are presented together with some
diagrams in [TT].
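An added numerical illustration, not part of the paper: for a binary source with Hamming distortion it evaluates the two lower bounds that define the region of Theorem 1, namely min(R_K, R(P*, E, d)) for the maximum-guess rate and the maximum over P with D(P||P*) <= E of [min(R_K, R(P, d)) - D(P||P*)] for the average-guess rate, where d is the distortion level. It assumes the standard closed form h(p) - h(d) of the binary rate-distortion function (zero once d reaches min(p, 1 - p)), a grid search over P, and constructed parameters; all function names are hypothetical.

```python
import math


def h2(p):
    """Binary entropy in bits, with h2(0) = h2(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def divergence(p, p_star):
    """D(P||P*) in bits for Bernoulli(p) against Bernoulli(p_star), 0 < p_star < 1."""
    d = 0.0
    if p > 0.0:
        d += p * math.log2(p / p_star)
    if p < 1.0:
        d += (1.0 - p) * math.log2((1.0 - p) / (1.0 - p_star))
    return d


def rate_distortion(p, delta):
    """R(P, delta) of a Bernoulli(p) source under Hamming distortion (assumed closed form)."""
    m = min(p, 1.0 - p)
    return h2(m) - h2(delta) if delta < m else 0.0


def guessing_region(p_star, r_k, e, delta, steps=20000):
    """Evaluate the bounds of the Theorem 1 region by a grid search over PDs P.

    Returns a dict with
      r_rel   : rate-reliability-distortion function, max of R(P, delta) over D(P||P*) <= e
      r_l_min : lower bound on the rate R_L of the maximum number of guesses
      r_min   : lower bound on the rate R of the average number of guesses
      r_l_max : log2 of the reproduction alphabet size (1 bit for a binary alphabet)
    """
    # P* is added explicitly so that it is always among the candidates.
    candidates = [i / steps for i in range(steps + 1)] + [p_star]
    r_rel = 0.0
    r_min = -math.inf
    for p in candidates:
        d = divergence(p, p_star)
        if d > e:                      # P lies outside the divergence ball around P*
            continue
        r_pd = rate_distortion(p, delta)
        r_rel = max(r_rel, r_pd)
        r_min = max(r_min, min(r_k, r_pd) - d)
    return {"r_rel": r_rel, "r_l_min": min(r_k, r_rel), "r_min": r_min, "r_l_max": 1.0}


if __name__ == "__main__":
    # Constructed parameters: P*(1) = 0.2, distortion level 0.1, reliability 0.05 bits.
    for r_k in (0.1, 0.3, 1.0):
        print(r_k, guessing_region(0.2, r_k, 0.05, 0.1))
```

With a small key rate both bounds collapse to R_K (key search wins); with a large key rate they are governed by the rate-distortion terms, and the gap between them widens as E grows.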

IV. Proof of Theorem 1 

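The first part of this Section will be devoted to the necessary preliminary known results
and tools. We apply the method of types (see [7]-[9]) in the proof of the theorem, so let us
begin with the formulation of some basic concepts, notations and relations of this method.

The type $P$ of a vector $\mathbf{x} \in \mathcal{X}^N$ is a PD $P = \{P(x) = N(x \mid \mathbf{x})/N,\ x \in \mathcal{X}\}$, where $N(x \mid \mathbf{x})$ is
the number of repetitions of symbol $x$ among $x_1, \ldots, x_N$. The set of all PD-s $P$ on $\mathcal{X}$, which
are types of vectors from $\mathcal{X}^N$ for given $N$, we denote by $\mathcal{P}(\mathcal{X}, N)$. The set of vectors $\mathbf{x}$ of type
$P$ will be denoted by $\mathcal{T}_P^N(X)$ and also called the type.

Let $N(x, \hat{x} \mid \mathbf{x}, \hat{\mathbf{x}})$ be the number of repetitions of the pair $(x, \hat{x})$ in the pair of vectors $(\mathbf{x}, \hat{\mathbf{x}})$.
The conditional type of $\hat{\mathbf{x}}$ for given $\mathbf{x}$ from $\mathcal{T}_P^N(X)$ is conditional PD $Q = \{Q(\hat{x} \mid x),\ x \in \mathcal{X},\ \hat{x} \in \hat{\mathcal{X}}\}$
such that $N(x, \hat{x} \mid \mathbf{x}, \hat{\mathbf{x}}) = N(x \mid \mathbf{x}) Q(\hat{x} \mid x) = N P(x) Q(\hat{x} \mid x)$ for $x \in \mathcal{X}$, $\hat{x} \in \hat{\mathcal{X}}$. The set of all
vectors $\hat{\mathbf{x}} \in \hat{\mathcal{X}}^N$ of the conditional type $Q$ for given $\mathbf{x} \in \mathcal{T}_P^N(X)$ is denoted by $\mathcal{T}_{P,Q}^N(\hat{X} \mid \mathbf{x})$. The
set of possible conditional types $Q$ for all $\mathbf{x}$ of the type $P$ is denoted by $\mathcal{Q}(\hat{\mathcal{X}}, P, N)$.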

We use the following well known properties of types ([7]-[9]):

$$|\mathcal{P}(\mathcal{X}, N)| \le (N + 1)^{|\mathcal{X}|}, \tag{11}$$

and for each PD $P'$ on $\mathcal{X}$

$$(N + 1)^{-|\mathcal{X}|} \exp\{-N D(P \| P')\} \le P'^N(\mathcal{T}_P^N(X)) \le \exp\{-N D(P \| P')\}. \tag{12}$$

It turns out (as the coming discussion shows) that the described guessing problem is substantially
interconnected with the problem of source lossy coding subject to distortion and reliability
criteria. The latter, according to [15], as well as further works [H], [19], treats the Shannon
rate-distortion coding in view of the error probability exponential decay with exponent $E$. This
implies a more general optimal relation, the rate-reliability-distortion one $R(P^*, E, \Delta)$, between the
coding parameters instead of the rate-distortion function $R(P^*, \Delta)$.

Fig. 3. The source lossy coding system.



For more details, let

$$f_c : \mathcal{X}^N \to \{1, 2, \ldots, C(N)\}$$

be an encoding mapping for source $N$-vectors with $C(N)$ standing for the volume of the code.
A backward mapping as a decoder of source messages

$$g_c : \{1, 2, \ldots, C(N)\} \to \hat{\mathcal{X}}^N$$

is functioning with the encoder in a way to enable the probability of error for $N$ large enough
be restricted as follows:

$$e(f_c, g_c, \Delta) \triangleq P^{*N}\{\mathbf{x} : d(\mathbf{x}, g_c(f_c(\mathbf{x}))) > \Delta\} < \exp\{-NE\}, \tag{13}$$

where $d(\mathbf{x}, g_c(f_c(\mathbf{x})))$ is distortion between transmitted source vector $\mathbf{x}$ and its reconstruction
$g_c(f_c(\mathbf{x}))$. This distortion $d$ we supposed to be identical to that defined in (1).

For a predefined pair $\Delta \ge 0$ and $E > 0$ the rate-reliability-distortion function $R(P^*, E, \Delta)$
specifies the minimum achievable code rate $R > 0$ as a number to satisfy the inequality
$N^{-1} \log C(N) < R + \varepsilon$ (where $\varepsilon > 0$ is arbitrarily chosen beforehand) for every code $(f_c, g_c)$,
which validates (13) kept $N$ appropriately large.

The analytics for R(P*, E, A) is given by the following theorem - a result constituting the 
inverse to the Marton's exponent function from [21]. 

Theorem 2 [15]: For every $E > 0$, $\Delta \ge 0$ and $\varepsilon > 0$, $\delta > 0$ there exists a sequence of such
$N$-length block codes $(f_c, g_c)$ for source with alphabet $\mathcal{X}$, generating PD $P^*$, and reproduction
alphabet $\hat{\mathcal{X}}$ that whenever $N > N_0(|\mathcal{X}|, \varepsilon, \delta)$, then

$$e(f_c, g_c, \Delta) < \exp\{-N(E + \delta)\}$$

and

$$N^{-1} \log C(N) < R(P^*, E, \Delta) + \varepsilon$$

with $R(P^*, E, \Delta)$ defined in (6), (7).

Conversely, for every sequence of codes satisfying (13) the volume $C(N)$ cannot be too
small:

$$\liminf_{N \to \infty} N^{-1} \log C(N) \ge R(P^*, E, \Delta).$$






Theorem 2 is exposed with detailed proof in [18]. The derivation of Theorem 2 can be also
observed from a more general result in [H] on robust descriptions system by eliminating all the 
encoders except one. We only note here that the proof is based on a random coding lemma 
about covering of types of vectors, which is a modification of the covering lemmas from pQ, [2], 

m. m, m. m- 

The proof of the following Proposition, which we intend to apply in the solution of our
guessing problem and which concerns coding of the vectors $\mathbf{x}$ of a separate type $P$, can
constitute the essential part of the proof of Theorem 2.

Proposition: For each given type $P \in \mathcal{P}(\mathcal{X}, N)$, every $\mathbf{x} \in \mathcal{T}_P^N(X)$, $\Delta \ge 0$, arbitrary $\varepsilon > 0$
and $N > N_0(P, \varepsilon)$ there exists a sequence of such $N$-block codes $(f_{c,P}, g_{c,P})$ of a volume $C(P, N)$,
that $d(\mathbf{x}, g_{c,P}(f_{c,P}(\mathbf{x}))) \le \Delta$ with

$$N^{-1} \log C(P, N) < R(P, \Delta) + \varepsilon,$$

where $R(P, \Delta)$ is defined in (6) and, conversely, for every such code

$$\liminf_{N \to \infty} N^{-1} \log C(P, N) \ge R(P, \Delta).$$



We are ready now to proceed to the proof of Theorem 1. We intend to prove that for every
$R_K > 0$, $E > 0$, $\Delta \ge 0$ the following inclusions are valid

$$\mathcal{R}_G(P^*, R_K, E, \Delta) \supseteq \mathbf{R}_G(P^*, R_K, E, \Delta) \supseteq \mathcal{R}_G(P^*, R_K, E, \Delta), \tag{14}$$

from where (10) follows.

The first inclusion in (14) is the converse kind statement from the viewpoint of the security
of the system and the direct statement from the point of view of cryptanalysis. We have to
prove that there exists a guessing strategy the parameters $R_L$, $R$ of which meet conditions (8)
and (9).

Now to prove the first inclusion in (14) consider a guessing strategy that ignores the cryptogram.
Represent $\mathcal{X}^N$ as a union of vectors of various types

$$\mathcal{X}^N = \bigcup_{P \in \mathcal{P}(\mathcal{X}, N)} \mathcal{T}_P^N(X).$$

We frequently consider without additional mentioning PDs $P$ from $\mathcal{P}(\mathcal{X}, N)$, which are
types for given $N$. When $N \to \infty$ these types converge to the corresponding arbitrary PD-s
from $\mathcal{P}(\mathcal{X})$.

Based on the positive assertion of the Proposition, independently of a received $w$ the wiretapper
can consider the collection of all possible decoding vectors as the guessing strategy for
$\mathbf{x} \in \mathcal{T}_P^N(X)$:

$$\mathcal{G}_N(w) = \{\hat{\mathbf{x}}_1(w), \hat{\mathbf{x}}_2(w), \ldots, \hat{\mathbf{x}}_{C(P,N)}(w)\}.$$

Using the right inequality in (12) and definition (5) of the set $\alpha(P^*, E)$ we can bound above
the probability of appearance of the source sequences of types $P$ beyond $\alpha(P^*, E + \delta)$ for some
$\delta > 0$ and $N$ large enough as follows:

$$P^{*N}\Big(\bigcup_{P \notin \alpha(P^*, E+\delta)} \mathcal{T}_P^N(X)\Big) \le (N + 1)^{|\mathcal{X}|} \exp\{-N \min_{P \notin \alpha(P^*, E+\delta)} D(P \| P^*)\}$$

$$\le \exp\{-NE - N\delta + |\mathcal{X}| \log(N + 1)\} \le \exp\{-NE\}.$$

Therefore, to obtain the desired low level of $e(L(N), \mathcal{G}_N(w), \Delta)$ it is sufficient that the wiretapper
constructs the guessing strategy $\mathcal{G}_N(w)$ only for vectors of types $P$ from $\alpha(P^*, E + \delta)$.
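As an added illustration (not code from the paper), the following Python code checks properties (11) and (12) exhaustively for a small alphabet and computes exactly the probability of the source types whose divergence from the source PD exceeds a threshold, next to the bound (N + 1)^{|X|} exp{-NE} used in the step above. The source PD (0.5, 0.3, 0.2), the block lengths and all function names are constructed for the example, and the source PD is assumed strictly positive.

```python
import math


def compositions(n, k):
    """Yield every k-tuple of non-negative counts summing to n (one tuple per type)."""
    if k == 1:
        yield (n,)
        return
    for first in range(n + 1):
        for rest in compositions(n - first, k - 1):
            yield (first,) + rest


def divergence(p, q):
    """D(P||Q) in bits, with the convention 0 log 0 = 0; Q must be strictly positive."""
    return sum(a * math.log2(a / b) for a, b in zip(p, q) if a > 0)


def log2_type_class_prob(counts, p_src):
    """log2 of the source probability of a whole type class.

    The class size is the multinomial coefficient; every vector in the class has
    the same probability, the product of p_src[x] ** counts[x].
    """
    size = math.factorial(sum(counts))
    for c in counts:
        size //= math.factorial(c)
    return math.log2(size) + sum(c * math.log2(q) for c, q in zip(counts, p_src) if c > 0)


def check_type_bounds(n, p_src, tol=1e-9):
    """Check (11) and both sides of (12) for every type of length n.

    Returns (number of types, whether (11) holds, whether (12) holds for all types).
    """
    k = len(p_src)
    num_types = 0
    all_ok = True
    for counts in compositions(n, k):
        num_types += 1
        p_type = [c / n for c in counts]
        upper = -n * divergence(p_type, p_src)
        lower = upper - k * math.log2(n + 1)
        lp = log2_type_class_prob(counts, p_src)
        all_ok = all_ok and (lower - tol <= lp <= upper + tol)
    return num_types, num_types <= (n + 1) ** k, all_ok


def atypical_mass(n, p_src, e):
    """Exact probability that the source vector has a type with D(P||P*) > e,
    together with the bound (n + 1)^k * 2^(-n e) obtained from (11) and (12)."""
    k = len(p_src)
    mass = 0.0
    for counts in compositions(n, k):
        p_type = [c / n for c in counts]
        if divergence(p_type, p_src) > e:
            mass += 2.0 ** log2_type_class_prob(counts, p_src)
    bound = 2.0 ** (-n * e + k * math.log2(n + 1))
    return mass, bound


if __name__ == "__main__":
    p_star = (0.5, 0.3, 0.2)          # constructed source PD
    print(check_type_bounds(30, p_star))
    for n in (20, 60, 120):
        print(n, atypical_mass(n, p_star, 0.5))
```

For short blocks the polynomial factor makes the bound exceed 1; it only becomes informative once N times the threshold outgrows |X| log(N + 1), which is why the proof works with E + δ and N large enough.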

We now pass to construction of such strategy. It is possible to enumerate types $P$ from
$\alpha(P^*, E + \delta)$ as $P_1, P_2, \ldots, P_{|\alpha(P^*, E+\delta)|}$ according to nondecreasing values of corresponding
rate-distortion functions $R(P_i, \Delta)$ (for the sake of expressions simplicity we shall write only $i$
instead of $P_i$ in $R(i, \Delta)$, $\mathcal{T}_i^N(X)$ and so on):

$$R(1, \Delta) \le R(2, \Delta) \le \ldots \le R(|\alpha(P^*, E + \delta)|, \Delta). \tag{15}$$

We designate by $Q_i^{\min}$ such conditional PD from $\mathcal{M}(i, \Delta)$ that (see (6) and (15))

$$C(i, N) = \exp\{N(\min_{Q_i \in \mathcal{M}(i, \Delta)} I_{i, Q_i}(X \wedge \hat{X}) + \varepsilon)\} = \exp\{N(R(i, \Delta) + \varepsilon)\}.$$

Let for fixed $i$ the set $\{\hat{\mathbf{x}}_{i,m} \in \mathcal{T}_{i, Q_i^{\min}}^N(\hat{X}),\ m = 1, \ldots, C(i, N)\}$ be such a collection of decoding
vectors that, according to the Proposition, for $N$ large enough the set

$$\{\mathbf{x} : \mathbf{x} \in \mathcal{T}_{i, Q_i^{\min}}^N(X \mid \hat{\mathbf{x}}_{i,m}),\ f_{c,i}(\mathbf{x}) = m,\ m = 1, \ldots, C(i, N)\},$$

be a code for $\mathcal{T}_i^N(X)$. Let us consider the following guessing strategy ignoring the cryptogram
$w$:

$$\mathcal{G}_N^{*}(w) = \{\{\hat{\mathbf{x}}_{1,m},\ m = 1, \ldots, C(1, N)\}, \ldots, \{\hat{\mathbf{x}}_{L(N,P),m},\ m = 1, \ldots, C(L(N, P), N)\}\}.$$

The number of required guesses $G_N^{*}(\mathbf{x}, w)$ for $\mathbf{x} \in \mathcal{T}_i^N(X)$, $P_i \in \alpha(P^*, E + \delta)$ and for each
$w$ is upper bounded for $N$ large enough (see (6) and (15))

$$G_N^{*}(\mathbf{x}, w) \le C(i, N) \le \exp\{N(R(i, \Delta) + \varepsilon)\},$$

and due to (7) for every $\mathbf{x}$ of type $P$ from $\alpha(P^*, E + \delta)$ independently of $w$ (independently of
$\mathbf{u}$):

$$G_N^{*}(\mathbf{x}, w) \le (N + 1)^{|\mathcal{X}|} \exp\{N(\max_{P_i \in \alpha(P^*, E+\delta)} R(i, \Delta) + \varepsilon)\} \le \exp\{N(R(P^*, E + \delta, \Delta) + 2\varepsilon)\}.$$

Sometimes, especially when $\Delta = 0$, or $R_K$ is small, it may be appropriate for the wiretapper
to carry out the key-search attack:

$$\mathcal{G}_N^{**}(w) = \{f_N^{-1}(w, \mathbf{u}_1), f_N^{-1}(w, \mathbf{u}_2), \ldots, f_N^{-1}(w, \mathbf{u}_{2^K})\},$$

where $\mathbf{u}_1, \mathbf{u}_2, \ldots, \mathbf{u}_{2^K}$ is an arbitrary numbering of all key-vectors of length $K$. Therefore, for
any given cryptogram $w$, the number of required guesses $G_N^{**}(\mathbf{x}, w)$ is upper bounded by the
number of all key-vectors

$$G_N^{**}(\mathbf{x}, w) \le \exp K = \exp\{N R_K\}.$$

This strategy gives to the wiretapper the exact $\hat{\mathbf{x}} = \mathbf{x}$ with the error probability equal to 0,
but it remains to note that for each $\mathbf{x} \in \mathcal{T}_P^N(X)$ when $R_K > R(P, \Delta)$ there is no sense to guess
key-vector $\mathbf{u}$. That is why in that case the wiretapper may ignore $w$.

When $\exp\{-K\} > \exp\{-NE\}$ (the probability of each possible key is greater than the
desirable error probability) the wiretapper has to test all $\exp K$ keys, that is in this case
$R_L = R_K$, and $E = \infty$. The average rate $R$ is defined from the equality

$$R = \lim_{N \to \infty} N^{-1} \log[2^{-1}(\exp\{N R_L\} + 1)].$$

Thus, it follows that in the present instance

$$R = R_L = R_K, \tag{16}$$

hence (8), (9) and left inclusion in (14) are in force.
If

$$\exp\{-NE\} > \exp\{-K\} = \exp\{-N R_K\}$$

the wiretapper can examine fewer than $\exp K$ keys. S/he can guess successively with such rate
of maximum number of guesses $R_L$ that

$$\exp\{N R_L\} \exp\{-N R_K\} \ge 1 - \exp\{-NE\}.$$

Consequently for any small $\varepsilon > 0$ and sufficiently large $N$

$$\exp\{N R_L\} \ge \exp\{N R_K\}\{1 - \exp\{-NE\}\} \ge \exp\{N(R_K - \varepsilon)\}.$$

With the inequality $R_K \ge R_L$, evident for the key searching, we obtain that in this case again
$R_L = R_K$. But if the wiretapper tests $\exp\{N R_K\}$ keys then the average number of guesses
again is equal to $2^{-1}(\exp\{N R_K\} + 1)$. It means that (16) is valid and (14) holds.

Combining these two guessing strategies as $\mathcal{G}_N^{***}(w)$, when strategy $\mathcal{G}_N^{*}(w)$, or $\mathcal{G}_N^{**}(w)$ with
the least number of guesses is applied, we conclude that for a given cryptogram $w$ the number
of sequential wiretapper guesses for the source vector $\mathbf{x} \in \mathcal{T}_i^N(X)$, $P_i \in \alpha(P^*, E + \delta)$, for $N$
large enough is upper bounded as follows

$$G_N^{***}(\mathbf{x}, w) \le \min[\exp K, \exp\{N(R(i, \Delta) + \varepsilon)\}] = \exp\{N \min(R_K, R(i, \Delta) + \varepsilon)\}.$$

Hence, for $N$ large enough, (see (7)) the required decrease of error probability is attainable by
the wiretapper if

$$L(N) \le \max_{P_i \in \alpha(P^*, E+\delta)} \exp\{N \min(R_K, R(i, \Delta) + \varepsilon)\}$$

$$= \exp\{N \min(R_K, R(P^*, E + \delta, \Delta) + \varepsilon)\}.$$

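Taking into account the independence of appearing of key-vectors and source message vectors
and using (12) and (11), we can derive for $N$ large enough the upper estimate for the average
number of guesses:

$$\begin{aligned}
\mathbf{E}_{P^*, P_1^*}\{G_N^{***}(\mathbf{X}, W)\}
&= \sum_{\mathbf{u} \in \mathcal{U}^K} P_1^{*K}(\mathbf{u}) \sum_{i:\, P_i \in \alpha(P^*, E+\delta) \cap \mathcal{P}(\mathcal{X}, N)}\ \sum_{\mathbf{x} \in \mathcal{T}_i^N(X)} P^{*N}(\mathbf{x})\, G_N^{***}(\mathbf{x}, f_N(\mathbf{x}, \mathbf{u})) \\
&\le \sum_{\mathbf{u} \in \mathcal{U}^K} P_1^{*K}(\mathbf{u}) \sum_{P \in \alpha(P^*, E+\delta) \cap \mathcal{P}(\mathcal{X}, N)}\ \sum_{\mathbf{x} \in \mathcal{T}_P^N(X)} P^{*N}(\mathbf{x}) \exp\{N \min(R_K, R(P, \Delta) + \varepsilon)\} \\
&= \sum_{P \in \alpha(P^*, E+\delta) \cap \mathcal{P}(\mathcal{X}, N)} \exp\{N \min(R_K, R(P, \Delta) + \varepsilon)\} \sum_{\mathbf{x} \in \mathcal{T}_P^N(X)} P^{*N}(\mathbf{x}) \\
&= \sum_{P \in \alpha(P^*, E+\delta) \cap \mathcal{P}(\mathcal{X}, N)} \exp\{N \min(R_K, R(P, \Delta) + \varepsilon)\}\, P^{*N}(\mathcal{T}_P^N(X)) \\
&\le \sum_{P \in \alpha(P^*, E+\delta) \cap \mathcal{P}(\mathcal{X}, N)} \exp\{N(-D(P \| P^*) + \min(R_K, R(P, \Delta) + \varepsilon))\} \\
&\le \max_{P \in \alpha(P^*, E+\delta)} \exp\{N(-D(P \| P^*) + \min(R_K, R(P, \Delta) + 2\varepsilon))\} \\
&= \exp\{N \max_{P \in \alpha(P^*, E+\delta)} (-D(P \| P^*) + \min(R_K, R(P, \Delta) + 2\varepsilon))\}.
\end{aligned}$$

Therefore there exists a guessing strategy the rates of which $R_L, R$ meet the inequalities

$$R_L \le \min(R_K, R(P^*, E + \delta, \Delta) + \varepsilon), \tag{17}$$

$$R \le \max_{P \in \alpha(P^*, E+\delta)} (-D(P \| P^*) + \min(R_K, R(P, \Delta) + 2\varepsilon)). \tag{18}$$

The pairs of values in right hand side correspond to the points in region $\mathbf{R}_G(P^*, R_K, E + \delta, \Delta)$, it
means that all points from $\mathbf{R}_G(P^*, R_K, E + \delta, \Delta)$ will be $(R_K, E + \delta, \Delta)$-achievable for wiretapper
as well. Since $\varepsilon$ and $\delta$ can be made arbitrarily small and all present expressions are continuous
in $E$, we can consider arbitrary PDs $P$ in (17) and (18) and thus obtain the left inclusion in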

Now we will prove the right inclusion in (14)

$$\mathbf{R}_G(P^*, R_K, E, \Delta) \supseteq \mathcal{R}_G(P^*, R_K, E, \Delta).$$

To prove this it is necessary to show that rates $R_L$ and $R$ of every guessing strategy with
keyrate $R_K$, reliability $E$, and distortion level $\Delta$ for arbitrary encryption algorithm must meet
the right inequalities, correspondingly, in (8) and (9). This is a converse statement from the
point of view of cryptographer.

It is supposed that the wiretapper knows algorithms of ciphering and deciphering. We may
assume also that the guesser knows the type $P$ of the source message $\mathbf{x}$; for such an informed
guesser any lower bounds on $L(N)$ and $\mathbf{E}_{P^*, P_1^*}\{G_N(\mathbf{X}, W)\}$ are lower bounds for uninformed
guesser too.

For each type $P$ the principal is the relation of two numbers: $N R_K = K < N R(P, \Delta)$,
or $K > N R(P, \Delta)$. In the first occasion the key search is preferable for the wiretapper, in
the second situation s/he can guess ignoring the cryptogram. In fact the wiretapper uses
cryptogram $w$ only after guessing of key-vector $\mathbf{u}$.

Let us start with the case

$$R_K < R(P, \Delta). \tag{19}$$

Denote by $\mathcal{G}_N(w, P)$ a guessing strategy of the wiretapper that for any encryption function
guarantees small error probability: $e(L(N), \mathcal{G}_N(w, P), \Delta) < \exp\{-NE\}$. Regardless of the source
probability distribution the optimal guessing strategy under the condition (19) is the key-search
attack. The wiretapper can then find the exact $\mathbf{x}$ applying decryption function $f_N^{-1}$ on the key
vector and $w$. Of course it is supposed that guessing of the exact $\mathbf{x}$ is also acceptable for
the wiretapper. We already know that in this case the minimum values for $R$ and $R_L$ meet
inequalities (8), (9).

Now let us consider the best strategy when $P \in \alpha(P^*, E + \delta)$ and

$$\exp K > \exp\{N R(P, \Delta)\}. \tag{20}$$

We also know that when $R_K > R(P, \Delta)$ the wiretapper can guess each $\mathbf{x} \in \mathcal{T}_P^N(X)$ with distortion
$\Delta$ and error probability less than $\exp\{-NE\}$ using less than $\exp\{N R(P, \Delta)\}$ guesses,
so key-search as demanding longer work is not preferable. The question is: does another
guessing strategy with less than $\exp\{N R(P, \Delta)\}$ guesses exist? But every guessing strategy
$\{\hat{\mathbf{x}}_1(w), \hat{\mathbf{x}}_2(w), \ldots, \hat{\mathbf{x}}_{L(N,P)}(w)\}$ ignoring $w$ may be considered as a list for the source encoding
satisfying distortion and reliability criteria, so according to the converse statement of the
Proposition for $N$ large enough $L(N, P)$ cannot be taken less than $\exp\{N R(P, \Delta)\}$.

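Thus the numbers less than $\exp\{N \min(R_K, R(P, \Delta))\}$ cannot be considered as limit $L(N, P)$,
and for the common guessing strategy inequality (8) is in force.

By averaging we obtain lower estimate for the expected number of guesses:

$$\begin{aligned}
\mathbf{E}_{P^*, P_1^*}\{G_N(\mathbf{X}, W)\}
&= \mathbf{E}_{P_1^*}\{\mathbf{E}_{P^*}\{G_N(\mathbf{X}, W)\}\} \\
&\ge \sum_{\mathbf{u} \in \mathcal{U}^K} P_1^{*K}(\mathbf{u}) \sum_{P \in \alpha(P^*, E+\delta)}\ \sum_{\mathbf{x} \in \mathcal{T}_P^N(X)} P^{*N}(\mathbf{x})\, G_N(\mathbf{x}, w) \\
&\ge \sum_{\mathbf{u} \in \mathcal{U}^K} P_1^{*K}(\mathbf{u}) \sum_{P \in \alpha(P^*, E+\delta)}\ \sum_{\mathbf{x} \in \mathcal{T}_P^N(X) \cap \mathcal{A}(w)} P^{*N}(\mathbf{x})\, G_N(\mathbf{x}, w) \\
&= \sum_{\mathbf{u} \in \mathcal{U}^K} P_1^{*K}(\mathbf{u}) \sum_{P \in \alpha(P^*, E+\delta)} P^{*N}(\mathcal{A}(w))\, P^{*N}(\mathcal{T}_P^N(X)) \sum_{l=1}^{\max_{\mathbf{x}} G_N(\mathbf{x}, w)} l\, \Pr\{\hat{\mathbf{x}}_l(w) \mid \mathbf{x} \in \mathcal{T}_P^N(X) \cap \mathcal{A}(w)\} \\
&\ge \sum_{\mathbf{u} \in \mathcal{U}^K} P_1^{*K}(\mathbf{u}) \sum_{P \in \alpha(P^*, E+\delta)} (1 - \exp\{-NE\}) \exp\{-N D(P \| P^*)\} \\
&\qquad \times \exp\{N(\min(R_K, \min_{Q_P} I_{P, Q_P}(X \wedge \hat{X}) - \varepsilon))\} \\
&\ge \exp\{N \max_{P \in \alpha(P^*, E+\delta)} (\min(R_K, R(P, \Delta)) - D(P \| P^*) - 2\varepsilon)\}.
\end{aligned}$$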

In this calculation $P$ is a type, but with growing of $N$ it approaches arbitrary PD $P$. Hence for
$N$ large enough

$$R_L \ge N^{-1} \log L(N) - \varepsilon \ge \min(R_K - \varepsilon, R(P^*, E + \delta, \Delta) - 2\varepsilon),$$

$$R \ge N^{-1} \log \mathbf{E}_{P^*, P_1^*}\{G_N(\mathbf{X}, W)\} - \varepsilon \ge \max_{P \in \alpha(P^*, E+\delta)} (\min(R_K, R(P, \Delta)) - D(P \| P^*) - 2\varepsilon).$$

Granting arbitrariness of $\varepsilon$ and $\Delta$ we obtain (8) and (9).

It remains to remark that comparison of cases (19) and (20) shows that in condition (19) it is
not possible to guess with $\Delta \ne 0$ and have smaller number of guesses, because approximate
guessing will need more than $\exp\{N R(P, \Delta)\}$ guesses, i.e. more than $\exp\{N R_K\}$, which is
enough for the exact reconstruction.

Therefore the proof of the right inclusion in (14) is completed.